From b9fe0a3e46057ce78b493be9fb50c0b7812fde95 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 8 Apr 2020 22:01:49 +0200 Subject: Mark several jackson-databind issues as no-dsa --- data/CVE/list.2019 | 6 ++++++ data/CVE/list.2020 | 26 ++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/data/CVE/list.2019 b/data/CVE/list.2019 index ab1e3bdf9f..c5c64b4146 100644 --- a/data/CVE/list.2019 +++ b/data/CVE/list.2019 @@ -765,6 +765,8 @@ CVE-2019-20331 CVE-2019-20330 (FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.eh ...) {DLA-2111-1} - jackson-databind 2.10.1-1 + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2526 NOTE: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e CVE-2019-20329 (OpenLambda 2019-09-10 allows DNS rebinding attacks against the OL serv ...) @@ -7865,6 +7867,8 @@ CVE-2019-17532 (An issue was discovered on Belkin Wemo Switch 28B WW_2.00.11057. CVE-2019-17531 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DLA-2030-1} - jackson-databind 2.10.1-1 + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2498 NOTE: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -8446,6 +8450,8 @@ CVE-2019-17268 (The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DLA-2030-1} - jackson-databind 2.10.0-1 + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2460 NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb CVE-2019-17266 (libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer ove ...) diff --git a/data/CVE/list.2020 b/data/CVE/list.2020 index f3f572ea16..bc2141d933 100644 --- a/data/CVE/list.2020 +++ b/data/CVE/list.2020 @@ -32,11 +32,15 @@ CVE-2020-11621 RESERVED CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2682 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-11619 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2680 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -1076,16 +1080,22 @@ CVE-2020-5291 (Bubblewrap (bwrap) before version 0.4.1, if installed in setuid m NOTE: https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2670 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2666 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-11111 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2664 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -1383,11 +1393,15 @@ CVE-2020-10970 RESERVED CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2642 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-10968 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2662 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -2078,12 +2092,16 @@ CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows at CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2153-1} - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2660 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2153-1} - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2659 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -4459,18 +4477,24 @@ CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-o CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2631 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -6030,6 +6054,8 @@ CVE-2020-8841 (An issue was discovered in TestLink 1.9.19. The relation_type par CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean- ...) {DLA-2111-1} - jackson-databind + [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2620 NOTE: https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default -- cgit v1.2.3